Sponsored by..

Tuesday, 8 December 2015

Malware spam: "Updated Statement - 2323191" / "David Lawale [David.Lawale@buildbase.co.uk]"

This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.


From:    David Lawale [David.Lawale@buildbase.co.uk]
Date:    8 December 2015 at 10:58
Subject:    Updated Statement - 2323191

Hi,

Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?

Kind Regards

David

David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
www.buildbase.co.uk


Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.

UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.

UPDATE 2
According to the comments in this post and also some other sources, the the macros download from:

gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe


This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:

216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)


MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361


Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169



1 comment:

Unknown said...

http://gulteknoofis.com/76re459/98uy76t.exe or http://agencjareklamowalodz.com/76re459/98uy76t.exe
https://www.virustotal.com/en/file/f32547b5bb4abe56e6ba6ba0676466735ce8aa50be4beb1d90e43438c7296030/analysis/1449575422/

Most automatic analysers didn't work on this one
joesandbox did